#1 Trusted Cybersecurity News Platform Followed by 3.45+ million
The Hacker News Logo
Subscribe to Newsletter

banking Trojan | Breaking Cybersecurity News | The Hacker News

Emotet Malware Makes a Comeback with New Evasion Techniques

Emotet Malware Makes a Comeback with New Evasion Techniques
Jan 24, 2023 Cyber Threat / Cyber Crime
The Emotet malware operation has continued to refine its tactics in an effort to fly under the radar, while also acting as a conduit for other dangerous malware such as Bumblebee and IcedID. Emotet, which officially  reemerged  in late 2021 following a coordinated takedown of its infrastructure by authorities earlier that year, has continued to be a persistent threat that's distributed via phishing emails. Attributed to a cybercrime group tracked as  TA542  (aka Gold Crestwood or Mummy Spider), the virus has  evolved  from a banking trojan to a malware distributor since its first appearance in 2014. The malware-as-a-service (MaaS) is also modular, capable of deploying an array of proprietary and freeware components that can exfiltrate sensitive information from compromised machines and carry out other post-exploitation activities. Two latest additions to Emotet's module arsenal comprise an  SMB spreader  that's designed to facilitate lateral movement using a list of h

Android Users Beware: New Hook Malware with RAT Capabilities Emerges

Android Users Beware: New Hook Malware with RAT Capabilities Emerges
Jan 19, 2023 Mobile Security / Android
The threat actor behind the  BlackRock  and  ERMAC  Android banking trojans has unleashed yet another malware for rent called  Hook  that introduces new capabilities to access files stored in the devices and create a remote interactive session. ThreatFabric, in a  report  shared with The Hacker News, characterized Hook as a novel ERMAC fork that's advertised for sale for $7,000 per month while featuring "all the capabilities of its predecessor." "In addition, it also adds to its arsenal Remote Access Tooling (RAT) capabilities, joining the ranks of families such as  Octo  and  Hydra , which are capable performing a full Device Take Over (DTO), and complete a full fraud chain, from PII exfiltration to transaction, with all the intermediate steps, without the need of additional channels," the Dutch cybersecurity firm said. A majority of the financial apps targeted by the malware are located in the U.S., Spain, Australia, Poland, Canada, Turkey, the U.K., Fran

GodFather Android Banking Trojan Targeting Users of Over 400 Banking and Crypto Apps

GodFather Android Banking Trojan Targeting Users of Over 400 Banking and Crypto Apps
Dec 21, 2022 Mobile Security / Banking Trojan
An Android banking trojan known as  GodFather  is being used to target users of more than 400 banking and cryptocurrency apps spanning across 16 countries. This includes 215 banks, 94 crypto wallet providers, and 110 crypto exchange platforms serving users in the U.S., Turkey, Spain, Italy, Canada, and Canada, among others, Singapore-headquartered Group-IB  said  in a report shared with The Hacker News. The malware, like  many   financial   trojans  targeting the Android ecosystem, attempts to steal user credentials by generating convincing overlay screens (aka web fakes) that are served atop target applications. First detected by Group-IB in June 2021 and  publicly disclosed  by ThreatFabric in March 2022, GodFather also packs in native backdoor features that allows it to abuse Android's Accessibility APIs to record videos, log keystrokes, capture screenshots, and harvest SMS and call logs. Group-IB's analysis of the malware has revealed it to be a successor of  Anubis

These Dropper Apps On Play Store Targeting Over 200 Banking and Cryptocurrency Wallets

These Dropper Apps On Play Store Targeting Over 200 Banking and Cryptocurrency Wallets
Oct 28, 2022
Five malicious dropper Android apps with over 130,000 cumulative installations have been discovered on the Google Play Store distributing banking trojans like  SharkBot  and  Vultur , which are capable of stealing financial data and performing on-device fraud. "These droppers continue the unstopping evolution of malicious apps sneaking to the official store," Dutch mobile security firm ThreatFabric told The Hacker News in a statement. "This evolution includes following newly introduced policies and masquerading as file managers and overcoming limitations by side-loading the malicious payload through the web browser." Targets of these  droppers  include 231 banking and cryptocurrency wallet apps from financial institutions in Italy, the U.K., Germany, Spain, Poland, Austria, the U.S., Australia, France, and the Netherlands. Dropper apps on official app stores like Google Play have  increasingly   become  a popular and efficient technique to distribute banking m

Fake Antivirus and Cleaner Apps Caught Installing SharkBot Android Banking Trojan

Fake Antivirus and Cleaner Apps Caught Installing SharkBot Android Banking Trojan
Sep 05, 2022
The notorious Android banking trojan known as  SharkBot  has once again made an appearance on the Google Play Store by masquerading as antivirus and cleaner apps. "This new dropper doesn't rely on Accessibility permissions to automatically perform the installation of the dropper Sharkbot malware," NCC Group's Fox-IT  said  in a report. "Instead, this new version asks the victim to install the malware as a fake update for the antivirus to stay protected against threats." The apps in question, Mister Phone Cleaner and Kylhavy Mobile Security, have over 60,000 installations between them and are designed to target users in Spain, Australia, Poland, Germany, the U.S., and Austria - Mister Phone Cleaner (com.mbkristine8.cleanmaster, 50,000+ downloads) Kylhavy Mobile Security (com.kylhavy.antivirus, 10,000+ downloads) The  droppers  are designed to drop a new version of SharkBot,  dubbed V2  by Dutch security firm ThreatFabric, which features an updated co

New Grandoreiro Banking Malware Campaign Targeting Spanish Manufacturers

New Grandoreiro Banking Malware Campaign Targeting Spanish Manufacturers
Aug 20, 2022
Organizations in the Spanish-speaking nations of Mexico and Spain are in the crosshairs of a new campaign designed to deliver the  Grandoreiro  banking trojan.  "In this campaign, the threat actors impersonate government officials from the Attorney General's Office of Mexico City and from the Public Ministry in the form of spear-phishing emails in order to lure victims to download and execute 'Grandoreiro,' a prolific banking trojan that has been active since at least 2016, and that specifically targets users in Latin America," Zscaler  said  in a report. The ongoing attacks, which commenced in June 2022, have been observed to target automotive, civil and industrial construction, logistics, and machinery sectors via multiple infection chains in Mexico and chemicals manufacturing industries in Spain. Attack chains entail leveraging spear-phishing emails written in Spanish to trick potential victims into clicking on an embedded link that retrieves a ZIP archive

SOVA Android Banking Trojan Returns With New Capabilities and Targets

SOVA Android Banking Trojan Returns With New Capabilities and Targets
Aug 15, 2022
The SOVA Android banking trojan is continuing to be actively developed with upgraded capabilities to target no less than 200 mobile applications, including banking apps and crypto exchanges and wallets, up from 90 apps when it started out. That's according to the latest findings from Italian cybersecurity firm Cleafy, which found newer versions of the malware sporting functionality to intercept two-factor authentication (2FA) codes, steal cookies, and expand its targeting to cover Australia, Brazil, China, India, the Philippines, and the U.K. SOVA, meaning Owl in Russian, came to light in  September 2021  when it was observed striking financial and shopping apps from the U.S. and Spain for harvesting credentials through overlay attacks by taking advantage of Android's Accessibility services. In less than a year, the trojan has also acted as a foundation for another Android malware called  MaliBot  that's designed to target online banking and cryptocurrency wallet custo

Roaming Mantis Financial Hackers Targeting Android and iPhone Users in France

Roaming Mantis Financial Hackers Targeting Android and iPhone Users in France
Jul 25, 2022
The mobile threat campaign tracked as  Roaming Mantis  has been linked to a new wave of compromises directed against French mobile phone users, months after it expanded its targeting to include European countries. No fewer than 70,000 Android devices are said to have been infected as part of the active malware operation, Sekoia said in a report published last week. Attack chains involving  Roaming Mantis , a financially motivated Chinese threat actor, are known to either deploy a piece of banking trojan named MoqHao (aka XLoader) or redirect iPhone users to credential harvesting landing pages that mimic the iCloud login page. "MoqHao (aka Wroba, XLoader for Android) is an Android remote access trojan (RAT) with information-stealing and backdoor capabilities that likely spreads via SMS," Sekoia researchers  said . It all starts with a phishing SMS, a technique known as smishing, enticing users with package delivery-themed messages containing rogue links, that, when clic

MaliBot: A New Android Banking Trojan Spotted in the Wild

MaliBot: A New Android Banking Trojan Spotted in the Wild
Jun 16, 2022
A new strain of Android malware has been spotted in the wild targeting online banking and cryptocurrency wallet customers in Spain and Italy, just weeks after a coordinated law enforcement operation dismantled  FluBot . The information stealing trojan, codenamed  MaliBot  by F5 Labs, is as feature-rich as its  counterparts , allowing it to steal credentials and cookies, bypass multi-factor authentication (MFA) codes, and abuse Android's Accessibility Service to monitor the victim's device screen. MaliBot is known to primarily disguise itself as cryptocurrency mining apps such as Mining X or The CryptoApp that are distributed via fraudulent websites designed to attract potential visitors into downloading them. It also takes another leaf out of the mobile banking trojan playbook in that it employs smishing as a distribution vector to proliferate the malware by accessing an infected smartphone's contacts and sending SMS messages containing links to the malware. "Mal

Latest Mobile Malware Report Suggests On-Device Fraud is on the Rise

Latest Mobile Malware Report Suggests On-Device Fraud is on the Rise
May 31, 2022
An analysis of the mobile threat landscape in 2022 shows that Spain and Turkey are the most targeted countries for malware campaigns, even as a mix of new and existing banking trojans are increasingly targeting Android devices to conduct on-device fraud (ODF). Other frequently targeted countries include Poland, Australia, the U.S., Germany, the U.K., Italy, France, and Portugal. "The most worrying leitmotif is the increasing attention to On-Device Fraud (ODF)," Dutch cybersecurity company ThreatFabric  said  in a report shared with The Hacker News. "Just in the first five months of 2022 there has been an increase of more than 40% in malware families that abuse Android OS to perform fraud using the device itself, making it almost impossible to detect them using traditional fraud scoring engines." Hydra ,  FluBot  (aka Cabassous),  Cerberus ,  Octo , and  ERMAC  accounted for the most active banking trojans based on the number of samples observed during the same

New Octo Banking Trojan Spreading via Fake Apps on Google Play Store

New Octo Banking Trojan Spreading via Fake Apps on Google Play Store
Apr 08, 2022
A number of rogue Android apps that have been cumulatively installed from the official Google Play Store more than 50,000 times are being used to target banks and other financial entities. The rental banking trojan, dubbed  Octo , is said to be a rebrand of another Android malware called ExobotCompact, which, in turn, is a "lite" replacement for its Exobot predecessor, Dutch mobile security firm ThreatFabric  said  in a report shared with The Hacker News. Exobot is also likely said to have paved the way for a separate descendant called Coper, that was initially  discovered  targeting Colombian users around July 2021, with newer infections targeting Android users in different European Countries. "Coper malware apps are modular in design and include a multi-stage infection method and many defensive tactics to survive removal attempts," Cybersecurity company Cyble  noted  in an analysis of the malware last month. Like other Android banking trojans, the rogue apps

Hackers Distributing Fake Shopping Apps to Steal Banking Data of Malaysian Users

Hackers Distributing Fake Shopping Apps to Steal Banking Data of Malaysian Users
Apr 06, 2022
Threat actors have been distributing malicious applications under the guise of seemingly harmless shopping apps to target customers of eight Malaysian banks since at least November 2021. The attacks involved setting up fraudulent but legitimate-looking websites to trick users into downloading the apps, Slovak cybersecurity firm ESET said in a report shared with The Hacker News. The copycat websites impersonated cleaning services such as Maid4u, Grabmaid, Maria's Cleaning, Maid4u, YourMaid, Maideasy and MaidACall and a pet store named PetsMore, all of which are aimed at users in Malaysia. "The threat actors use these fake e-shop applications to phish for banking credentials," ESET  said . "The apps also forward all SMS messages received by the victim to the malware operators in case they contain 2FA codes sent by the bank." The targeted banks include Maybank, Affin Bank, Public Bank Berhad, CIMB bank, BSN, RHB, Bank Islam Malaysia, and Hong Leong Bank. Th

Hackers Hijack Email Reply Chains on Unpatched Exchange Servers to Spread Malware

Hackers Hijack Email Reply Chains on Unpatched Exchange Servers to Spread Malware
Mar 28, 2022
A new email phishing campaign has been spotted leveraging the tactic of conversation hijacking to deliver the IcedID info-stealing malware onto infected machines by making use of unpatched and publicly-exposed Microsoft Exchange servers. "The emails use a social engineering technique of conversation hijacking (also known as thread hijacking)," Israeli company Intezer said in a report shared with The Hacker News. "A forged reply to a previous stolen email is being used as a way to convince the recipient to open the attachment. This is notable because it increases the credibility of the phishing email and may cause a high infection rate." The latest wave of attacks, detected in mid-March 2022, is said to have targeted organizations within energy, healthcare, law, and pharmaceutical sectors. IcedID, aka BokBot, like its counterparts TrickBot and  Emotet , is a  banking trojan  that has evolved to become an entry point for more sophisticated threats, including hu

SharkBot Banking Malware Spreading via Fake Android Antivirus App on Google Play Store

SharkBot Banking Malware Spreading via Fake Android Antivirus App on Google Play Store
Mar 07, 2022
The threat actor behind a nascent Android banking trojan named  SharkBot  has managed to evade Google Play Store security barriers by masquerading as an antivirus app. SharkBot, like its malware counterparts  TeaBot ,  FluBot , and  Oscorp  (UBEL), belongs to a category of financial trojans capable of siphoning credentials to initiate money transfers from compromised devices by circumventing multi-factor authentication mechanisms. It first emerged on the scene in November 2021. Where SharkBot stands apart is in its ability to carry out the unauthorized transactions via Automatic Transfer Systems (ATS), which stands in contrast to TeaBot, which requires a live operator to interact with the infected devices to conduct the malicious activities. "The ATS features allow the malware to receive a list of events to be simulated, and they will be simulated in order to do the money transfers," Alberto Segura and Rolf Govers, malware analysts at cybersecurity firm NCC Group,  said

New Android Banking Trojan Spreading via Google Play Store Targets Europeans

New Android Banking Trojan Spreading via Google Play Store Targets Europeans
Feb 21, 2022
A new Android banking trojan with over 50,000 installations has been observed distributed via the official Google Play Store with the goal of targeting 56 European banks and carrying out harvesting sensitive information from compromised devices. Dubbed  Xenomorph  by Dutch security firm ThreatFabric, the in-development malware is said to share overlaps with another banking trojan tracked under the moniker Alien while also being "radically different" from its predecessor in terms of the functionalities offered. "Despite being a work-in-progress, Xenomorph is already sporting effective overlays and being actively distributed on official app stores," ThreatFabric's founder and CEO, Han Sahin, said. "In addition, it features a very detailed and modular engine to abuse accessibility services, which in the future could power very advanced capabilities, like ATS." Alien, a remote access trojan (RAT) with notification sniffing and authenticator-based 2FA

Medusa Android Banking Trojan Spreading Through Flubot's Attacks Network

Medusa Android Banking Trojan Spreading Through Flubot's Attacks Network
Feb 08, 2022
Two different Android banking Trojans, FluBot and Medusa, are relying on the same delivery vehicle as part of a simultaneous attack campaign, according to new research published by ThreatFabric. The ongoing side-by-side infections, facilitated through the same smishing (SMS phishing) infrastructure, involved the overlapping usage of "app names, package names, and similar icons," the Dutch mobile security firm said. Medusa, first discovered targeting Turkish financial organizations in July 2020, has undergone several iterations, chief among which is the ability to abuse accessibility permissions in Android to siphon funds from banking apps to an account controlled by the attacker. "Medusa sports other dangerous features like keylogging, accessibility event logging, and audio and video streaming — all these capabilities provide actors with almost full access to [a] victim's device," the researchers  said . The malware-ridden apps used in conjunction with Flu

Chaes Banking Trojan Hijacks Chrome Browser with Malicious Extensions

Chaes Banking Trojan Hijacks Chrome Browser with Malicious Extensions
Jan 27, 2022
A financially-motivated malware campaign has compromised over 800 WordPress websites to deliver a banking trojan dubbed Chaes targeting Brazilian customers of Banco do Brasil, Loja Integrada, Mercado Bitcoin, Mercado Livre, and Mercado Pago. First documented by  Cybereason  in November 2020, the info-stealing malware is delivered via a sophisticated infection chain that's engineered to harvest sensitive consumer information, including login credentials, credit card numbers, and other financial information. "Chaes is characterized by the multiple-stage delivery that utilizes scripting frameworks such as JScript, Python, and NodeJS, binaries written in Delphi, and malicious Google Chrome extensions," Avast researchers Anh Ho and Igor Morgenstern  said . "The ultimate goal of Chaes is to steal credentials stored in Chrome and intercept logins of popular banking websites in Brazil." The attack sequence is triggered when users visit one of the infected websites
More Resources